in Container App, there is now the ability to enable Built-in Authentication (similar to what has been available for some time now in App Services) When adding the Microsoft Identity Provider, we can define several Additional Checks: Client application requirement Identity requirement However in App Services, there is a 3rd check available: Allowed tenants my question is the following: How can I enable an "Allowed Tenant" check during the Built-in Authentication on Container Apps...to limit access to my app to Users from a list of specific tenants. Thanks

@Gaetan Willems , Welcome to Microsoft Q&A Platform! Thanks for reaching out your query on limiting access to container app to Users from a list of specific tenants. The built-in authentication in Azure Container Apps is designed for simplicity and flexibility, meaning that it does not have direct configuration for restricting access to specific tenants (as you would with a more complex identity solution). If your tenants use Microsoft Entra ID as the identity provider, you can configure Container Apps to use the /common endpoint to validate user tokens. This ensures that, regardless of the user's Microsoft Entra tenant, their tokens are validated and accepted. You could refer the below documentation on the same https://learn.microsoft.com/en-us/azure/architecture/guide/multitenant/service/container-apps#managed-identities https://learn.microsoft.com/en-us/entra/identity-platform/howto-restrict-your-app-to-a-set-of-users Hope this helps. Do let us know if you any further queries. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

How to enable the check for Allowed Tenants on Container Apps built-in Authentication

Gaetan Willems 0

in Container App, there is now the ability to enable Built-in Authentication (similar to what has been available for some time now in App Services)

When adding the Microsoft Identity Provider, we can define several Additional Checks:

Client application requirement
Identity requirement

User's image

However in App Services, there is a 3rd check available: Allowed tenants

User's image

my question is the following: How can I enable an "Allowed Tenant" check during the Built-in Authentication on Container Apps...to limit access to my app to Users from a list of specific tenants.

Thanks

1 answer

Khadeer Ali 2,525 Reputation points Microsoft Vendor

2025-01-17T16:07:17.21+00:00

@Gaetan Willems ,
Welcome to Microsoft Q&A Platform!

Thanks for reaching out your query on limiting access to container app to Users from a list of specific tenants.

The built-in authentication in Azure Container Apps is designed for simplicity and flexibility, meaning that it does not have direct configuration for restricting access to specific tenants (as you would with a more complex identity solution).

If your tenants use Microsoft Entra ID as the identity provider, you can configure Container Apps to use the /common endpoint to validate user tokens. This ensures that, regardless of the user's Microsoft Entra tenant, their tokens are validated and accepted.

You could refer the below documentation on the same
https://learn.microsoft.com/en-us/azure/architecture/guide/multitenant/service/container-apps#managed-identities

https://learn.microsoft.com/en-us/entra/identity-platform/howto-restrict-your-app-to-a-set-of-users

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Please sign in to rate this answer.
Gaetan Willems 0 Reputation points

2025-01-20T12:35:15.8566667+00:00

I think there might be a misunderstanding.

If I use the /common endpoint, I will enable access to my container app from every single Microsoft Endpoint.

If I use a specific https://sts.windows.net/ef5ab331-33b8-4f5d-93a7-xxxxxxxxxxxx/v2.0 endpoint, I will restrict the access to my container app to the users from that specific tenant Only.

I need to enable the access to my container app from a limited number of tenants…A specific list of tenants.

I had the exact same problem and discussion with the support team a year ago for App Services.

https://portal.azure.com/#view/Microsoft_Azure_Support/SupportRequestDetails.ReactView/id/%2Fsubscriptions%2F26df0f65-05ae-4cc1-9856-2381ba511123%2Fproviders%2Fmicrosoft.support%2Fsupporttickets%2Fd40f17bb-26a37dbd-06c0b241-a67f-4350-a2ca-336985a8f084

https://feedback.azure.com/d365community/idea/9442f523-d2cc-ee11-92bc-6045bd83e1af

as initially it wasn’t possible to make any restriction when enabling the built-in authentication for App Services.

But then it was added (I don’t know is a result of my cases and/or feedback) but this was absolutely GREAT.

There is now the Client Application, Identity AND Tenant requirements:

The Built-in Authentication wasn’t available previously in Container App and has been added recently…which is also GREAT

But there is only the Client Application and Identity requirements…the “Tenant requirement” is missing.

Considering that this is a simple check against a GUID just like for the Client Application and Identity, there is no technical reason to not have it in Container App, just like it is available in App Services.

Especially since the “learn more” link in the Container App Identity provider setup page takes you to the exact same documentation page as for the App services https://learn.microsoft.com/fr-be/azure/app-service/configure-authentication-provider-aad?tabs=workforce-configuration#use-a-built-in-authorization-policy

This requirement for Tenant restriction was asked by many many others on App Services and I’m 100% sure it will be requested and useful to just as many people on Container Apps.

Thanks in advance for your help,

Best regards,

G.

Khadeer Ali 2,525 Reputation points Microsoft Vendor

2025-01-21T09:50:07.89+00:00

Gaetan Willems,

I understand that your requirement I would request you to raise a feedback request here: Create a forum and category for Container Apps · Community

Wherein our engineering team will monitor the request, will implement them accordingly based on the feasibility.

Hope this helps let me know if you have any further question on this.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to enable the check for Allowed Tenants on Container Apps built-in Authentication

1 answer

Your answer